Bugtraq mailing list archives
singapore v0.9.11 cross site scripting and path disclosure
From: thegreatone2176 () yahoo com
Date: 12 Jun 2005 21:16:24 -0000
Because of singapores heavy use of classes it has multiple path disclosure occurences. The following pages all produced class related errors when navigating directly to them in your browser. gallery/includes/admin.class.php templates/admin_default/ all the .tpl.php files templates/default/ all the the .tpl.php files Also the gallery $_GET parameter on www.site.com/index.php is not properly checked leading to cross site scripting. We used http://www.site.com/index.php?gallery=%3Cimg%20onmouseover=%22alert('hi')%22%20style=%22position:%20absolute;%20top:0px;%20left:%200px;%20width:%201000%;%20height:%201000%;%22%3E and other similar scripts to produce the xss.
Current thread:
- singapore v0.9.11 cross site scripting and path disclosure thegreatone2176 (Jun 13)